Article

A large-scale study of web password habits

Authors:

Dinei Florencio,

Cormac HerleyAuthors Info & Claims

WWW '07: Proceedings of the 16th international conference on World Wide Web

Pages 657 - 666

https://doi.org/10.1145/1242572.1242661

Published: 08 May 2007 Publication History

Get Access

Abstract

We report the results of a large scale study of password use andpassword re-use habits. The study involved half a million users over athree month period. A client component on users' machines recorded a variety of password strength, usage and frequency metrics. This allows us to measure or estimate such quantities as the average number of passwords and average number of accounts each user has, how many passwords she types per day, how often passwords are shared among sites, and how often they are forgotten. We get extremely detailed data on password strength, the types and lengths of passwords chosen, and how they vary by site. The data is the first large scale study of its kind, and yields numerous other insights into the role the passwords play in users' online experience.

References

[1]

http://www.rsasecurity.com.

Google Scholar

[2]

http://www.passwordresearch.com.

Google Scholar

[3]

A. Adams and M. A. Sasse. Users are not the Enemy. Comm. ACM, 1999.

Digital Library

Google Scholar

[4]

B. Efron and R. Thisted. Estimating the number of unknown species: How many words did Shakespeare know? Biometrika, 1976.

Google Scholar

[5]

D. V. Klein. Foiling the Cracker: A Survey of, and Improvements to, Password Security. Usenix Security Workshop, 1990.

Google Scholar

[6]

F. T. Grampp and R. H. Morris. UNIX Operating System Security. Bell System Tech. Jorunal, 1984.

Google Scholar

[7]

E. Gaber, P. Gibbons, Y. Matyas, and A. Mayer. How to make personalized web browsing simple, secure and anonymous. Proc. Finan. Crypto '97.

Digital Library

Google Scholar

[8]

W. Gale. Good-Turing Smoothing Without Tears. Statistics Research Reports from AT&T Laboratories 94.5, AT&T Bell Laboratories, 1994.

Google Scholar

[9]

J. Yan and A. Blackwell and R. Anderson and A. Grant. Password Memorability and Security: Empirical Results. IEEE Security & Privacy, 2004.

Digital Library

Google Scholar

[10]

Jefferson Wells Inc. Microsoft Phishing Filter Feature in Internet Explorer 7 and Windows Live Toolbar. 2006. http://www.jeffersonwells.com/clientauditreports/Microsoft PF IE7IEToolbarFeature Privacy Audit 20060728.pdf.

Google Scholar

[11]

Anti-Phishing Working Group. http://www.antiphishing.org.

Google Scholar

[12]

R. Morris and K. Thompson. Password Security: A Case History. Comm. ACM, 1979.

Digital Library

Google Scholar

[13]

B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell. Stronger password authentication using browser extensions. Proceedings of the 14th Usenix Security Symposium, 2005.

Digital Library

Google Scholar

[14]

M. E. Russinovich and D. A. Solomon. Microsoft Windows Internals. Microsoft Press, 2005.

Google Scholar

Cited By

View all

Choi SKim DSeo S(2024)Parallel Implementation of Scrypt: A Study on GPU Acceleration for Password-Based Key Derivation FunctionJournal of information and communication convergence engineering10.56977/jicce.2024.22.2.9822:2(98-108)Online publication date: 30-Jun-2024
https://doi.org/10.56977/jicce.2024.22.2.98
Kolenbrander JHusmann EHenshaw CRheault EBoswell MMichaels A(2024)Use & Abuse of Personal Information, Part II: Robust Generation of Fake IDs for Privacy ExperimentationJournal of Cybersecurity and Privacy10.3390/jcp40300264:3(546-571)Online publication date: 11-Aug-2024
https://doi.org/10.3390/jcp4030026
Goel ARahulamathavan Y(2024)A Comparative Survey of Centralised and Decentralised Identity Management Systems: Analysing Scalability, Security, and FeasibilityFuture Internet10.3390/fi1701000117:1(1)Online publication date: 24-Dec-2024
https://doi.org/10.3390/fi17010001
Show More Cited By

Index Terms

A large-scale study of web password habits
1. Security and privacy
  1. Security services
    1. Authentication

Recommendations

Comments

Information & Contributors

Information

Published In

WWW '07: Proceedings of the 16th international conference on World Wide Web

May 2007

1382 pages

ISBN:9781595936547

DOI:10.1145/1242572

General Chairs:
Carey Williamson
University of Calgary, Canada
,
Mary Ellen Zurko
IBM, USA
,
Program Chairs:
Peter Patel-Schneider
Bell Labs Research, USA
,
Prashant Shenoy
University of Massachusetts at Amherst, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 May 2007

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

WWW'07

Sponsor:

WWW'07: 16th International World Wide Web Conference

May 8 - 12, 2007

Alberta, Banff, Canada

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

638
Total Citations
View Citations
5,998
Total Downloads

Downloads (Last 12 months)357
Downloads (Last 6 weeks)46

Reflects downloads up to 22 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Choi SKim DSeo S(2024)Parallel Implementation of Scrypt: A Study on GPU Acceleration for Password-Based Key Derivation FunctionJournal of information and communication convergence engineering10.56977/jicce.2024.22.2.9822:2(98-108)Online publication date: 30-Jun-2024
https://doi.org/10.56977/jicce.2024.22.2.98
Kolenbrander JHusmann EHenshaw CRheault EBoswell MMichaels A(2024)Use & Abuse of Personal Information, Part II: Robust Generation of Fake IDs for Privacy ExperimentationJournal of Cybersecurity and Privacy10.3390/jcp40300264:3(546-571)Online publication date: 11-Aug-2024
https://doi.org/10.3390/jcp4030026
Goel ARahulamathavan Y(2024)A Comparative Survey of Centralised and Decentralised Identity Management Systems: Analysing Scalability, Security, and FeasibilityFuture Internet10.3390/fi1701000117:1(1)Online publication date: 24-Dec-2024
https://doi.org/10.3390/fi17010001
Bao YZeng JYang JYang RLu Z(2024)The Effect of Domain Terms on Password SecurityACM Transactions on Privacy and Security10.1145/370335028:1(1-29)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3703350
Zou YLe KMayer PAcquisti AAviv ASchaub F(2024)Encouraging Users to Change Breached Passwords Using the Protection Motivation TheoryACM Transactions on Computer-Human Interaction10.1145/368943231:5(1-45)Online publication date: 30-Aug-2024
https://dl.acm.org/doi/10.1145/3689432
Saleh MElagroudy PLukowicz PSturm C(2024)Ghost Readers of the Nile: Decrypting Password Sharing Habits in Chatting Applications among Egyptian WomenProceedings of the ACM on Human-Computer Interaction10.1145/36765068:MHCI(1-43)Online publication date: 24-Sep-2024
https://dl.acm.org/doi/10.1145/3676506
Kablo EKader KArias-Cabarcos P(2024)"I'm actually going to go and change these passwords": Analyzing the Usability of Credential Audit Interfaces in Password ManagersExtended Abstracts of the CHI Conference on Human Factors in Computing Systems10.1145/3613905.3650889(1-13)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613905.3650889
Hutchinson AMunyendo CAviv AMayer P(2024)An Analysis of Password Managers’ Password Checkup ToolsExtended Abstracts of the CHI Conference on Human Factors in Computing Systems10.1145/3613905.3650741(1-7)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613905.3650741
Sharma TNair VWang HWang YSong D(2024)“I Can’t Believe It’s Not Custodial!”: Usable Trustless Decentralized Key ManagementProceedings of the 2024 CHI Conference on Human Factors in Computing Systems10.1145/3613904.3642464(1-16)Online publication date: 11-May-2024
https://dl.acm.org/doi/10.1145/3613904.3642464
Xie ZShi FZhang MMa HWang HLi ZZhang Y(2024) GuessFuse : Hybrid Password Guessing With Multi-View IEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.337624619(4215-4230)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3376246
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Web Password Book: Discreet Password Book - Password Saver - 5 by 8 With 300 Password Records - Password Reminder Vol.10 Password Book

Web Password Book: 5 by 8 - An Alphabetical Internet And Password - 300 Password Records Vol.9 Password Book

Web Password Book: Internet Password Organizer - (Discreet Password Journal) - An Internet Address Password Journal - Vol.4 Password Book